package com.cmy.lesson2;

import com.cmy.lesson2.utils.JdbcUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * @Author Void
 * @Description //TODO 测试sql注入
 * @Date 12:04 2021/3/10
 * @Param
 * @return
 **/
public class SqlInjection {
    public static void main(String[] args) {
        login("'or '1=1","'or '1=1");
    }

    public static void login(String username,String password) {
        Connection conn = null;
        Statement st = null;
        ResultSet rs = null;
        try {
            conn = JdbcUtils.getConnection();
            st = conn.createStatement();

            //select * from `users` where `NAME` = ''or '1=1' AND `PASSWORD` = ''or '1=1'(拼接后查出全部)
            String sql =
                    "select * from `users` where `NAME` = '" +username+ "' AND `PASSWORD` = '"+password+"'";

            rs = st.executeQuery(sql);
            while (rs.next()){
                System.out.println("name = "+rs.getString("NAME"));
                System.out.println("password = "+rs.getObject("PASSWORD"));
            }

        } catch (SQLException throwables) {
            throwables.printStackTrace();
        }finally {
            JdbcUtils.release(conn,st,rs);
        }
    }
}

    